[Congressional Record Volume 167, Number 146 (Friday, August 13, 2021)]
[Extensions of Remarks]
[Page E897]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




 ENSURING COORDINATION BETWEEN THE DEPARTMENT OF HOMELAND SECURITY AND 
  THE DEPARTMENT OF ENERGY IN ADDRESSING CYBERSECURITY THREATS TO THE 
                             ENERGY SECTOR

                                 ______
                                 

                        HON. BENNIE G. THOMPSON

                             of mississippi

                    in the house of representatives

                        Friday, August 13, 2021

  Mr. THOMPSON of Mississippi. Madam Speaker, while I agree with my 
colleagues about the importance of securing our Nation's energy 
infrastructure, I am concerned that--as currently written--H.R. 2931, 
H.R. 2928, and H.R. 3119 may weaken the core tenets of the U.S. 
Government's framework for protecting critical infrastructure.
  That framework is currently laid out in Presidential Policy Directive 
21 (PPD-21) and has been reinforced in numerous Federal policies and 
statutes enacted since 9/11. It has been embraced by Republican and 
Democratic administrations alike and by Congress. Earlier this year, 
Congress strongly reaffirmed its commitment to the PPD-21 framework in 
the FY2021 National Defense Authorization Act.
  PPD-21 designates the Department of Homeland Security (DHS) as the 
lead Federal agency responsible for coordinating Federal efforts to 
secure critical infrastructure across all 16 sectors--while working 
hand-in-hand with Sector Risk Management Agencies (SRMAs).
  I support enhancing the Department of Energy (DOE)'s capacity, as the 
SRMA for the energy sector, to engage with the sector as a liaison, 
trusted partner, and valuable source of sector-specific expertise.
  That said, it is important that legislation authorizing such activity 
acknowledge the role that DHS, through the Cybersecurity and 
Infrastructure Security Agency (CISA), plays as the Nation's risk 
advisor and Federal civilian interface for private sector engagement 
and collaboration.
  Congress has often reiterated that it expects CISA to use its 
authorities and cross-sector convening power to maintain a bird's eye 
view of threats across sectors--taking threat intelligence from one 
sector and integrating it into a broader threat context to help other 
owners and operators protect themselves.
  But CISA can only do this if its SRMA partners work with it in a 
collaborative way that complements--rather than duplicates--the tools, 
services, and resources CISA brings in support of these broader efforts.
  Herein lies the issue with H.R. 2931, H.R. 2928, and H.R. 3119: the 
measures, as drafted, would authorize DOE to carry out responsibilities 
and develop capabilities that overlap with or duplicate those already 
housed within CISA, and there is no directive for DOE to do so in 
coordination with DHS.
  There are several problems that could arise from this lack of 
coordination.
  First, it runs the risk of creating a siloed, stovepiped approach to 
managing information about threats to the energy sector--a critically 
important, lifeline sector that has been under sustained attack for 
decades.
  Congress has worked to break down these siloes since 9/11, which is 
why DHS was tasked as a ``central hub'' for critical infrastructure in 
the first place.
  Second, having multiple Federal agencies carry out overlapping roles 
and responsibilities creates confusion among private sector 
stakeholders, who are not sure who to call during a crisis, or who to 
partner with during steady state.
  This duplication also means that the Federal Government is forced to 
spread an already thin supply of cybersecurity experts and resources 
even thinner.
  Finally, cybersecurity is rarely--if ever--a sector-specific problem.
  Critical infrastructure is interconnected, and technologies used in 
one sector are often deployed throughout others, as are the 
vulnerabilities embedded in those technologies. Adversaries can use the 
distributed nature of these vulnerabilities to exploit owners and 
operators across industry lines, at scale.
  Take, for instance, the recent SolarWinds campaign. Russian 
intelligence agencies were able to corrupt a software update deployed 
across the public and private sectors, then use it as a foothold to 
infiltrate an equally ubiquitous set of Microsoft tools and products to 
seize an untold amount of sensitive information.
  Hostile foreign nations like China and Russia do not organize cyber 
operations one sector at a time. They wage simultaneous, parallel 
campaigns designed to yield the highest possible reward at the lowest 
possible cost.
  It is not uncommon for attacks on the energy sector to coincide with, 
or foreshadow, similar attacks on other sectors. In 2018, DHS and the 
FBI warned about a ``multi-stage intrusion campaign'' by Russia that 
targeted ``U.S. government entities, as well as organizations in the 
energy, nuclear, commercial facilities, water, aviation, and critical 
manufacturing sectors.''
  While cyberattacks against the energy sector have accelerated, the 
sector does not exist in a vacuum.
  Though I am concerned about the possibility that these challenges may 
arise, it is not a foregone conclusion that they will. If DOE 
collaborates with CISA to forge a more productive and effective 
partnership, I believe many of these challenges can be overcome.
  Last year, I came to the floor to ask the chairman of the Energy and 
Commerce Committee to confirm his intent that the activities authorized 
by this legislation be carried out in coordination with DHS. He 
responded it was ``absolutely'' his intent that these bills be carried 
out with DHS ``first and foremost.''
  I also asked for clarification that these bills do not detract from, 
erode, or infringe upon any existing authorities or policies laid out 
in the Cybersecurity and Infrastructure Security Act of 2018, PPD-41, 
Executive Order 13636, or Executive Order 13691. He responded that 
``nothing in these bills is intended to infringe, curtail, or otherwise 
affect authorities of [DHS] . . . in any way, shape, or form.''
  I would like to reiterate these commitments from one year ago, and I 
look forward to working with the Committee on Energy and Commerce to 
conduct vigorous oversight to ensure that DOE is coordinating with DHS 
in a manner that reflects congressional intent.

                          ____________________